afan
/
gitea
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
gitea源码
3 Commits
2 Branches
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
gitea/routers/web/user/setting/security/webauthn.go

webauthn.go 4.2KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142 
  1. // Copyright 2018 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package security

  5. 

  6. import (

  7. 	"errors"

  8. 	"net/http"

  9. 	"strconv"

  10. 	"time"

  11. 

  12. 	"code.gitea.io/gitea/models/auth"

  13. 	user_model "code.gitea.io/gitea/models/user"

  14. 	wa "code.gitea.io/gitea/modules/auth/webauthn"

  15. 	"code.gitea.io/gitea/modules/log"

  16. 	"code.gitea.io/gitea/modules/session"

  17. 	"code.gitea.io/gitea/modules/setting"

  18. 	"code.gitea.io/gitea/modules/web"

  19. 	"code.gitea.io/gitea/services/context"

  20. 	"code.gitea.io/gitea/services/forms"

  21. 

  22. 	"github.com/go-webauthn/webauthn/protocol"

  23. 	"github.com/go-webauthn/webauthn/webauthn"

  24. )

  25. 

  26. // WebAuthnRegister initializes the webauthn registration procedure

  27. func WebAuthnRegister(ctx *context.Context) {

  28. 	if user_model.IsFeatureDisabledWithLoginType(ctx.Doer, setting.UserFeatureManageMFA) {

  29. 		ctx.HTTPError(http.StatusNotFound)

  30. 		return

  31. 	}

  32. 

  33. 	form := web.GetForm(ctx).(*forms.WebauthnRegistrationForm)

  34. 	if form.Name == "" {

  35. 		// Set name to the hexadecimal of the current time

  36. 		form.Name = strconv.FormatInt(time.Now().UnixNano(), 16)

  37. 	}

  38. 

  39. 	cred, err := auth.GetWebAuthnCredentialByName(ctx, ctx.Doer.ID, form.Name)

  40. 	if err != nil && !auth.IsErrWebAuthnCredentialNotExist(err) {

  41. 		ctx.ServerError("GetWebAuthnCredentialsByUID", err)

  42. 		return

  43. 	}

  44. 	if cred != nil {

  45. 		ctx.HTTPError(http.StatusConflict, "Name already taken")

  46. 		return

  47. 	}

  48. 

  49. 	_ = ctx.Session.Delete("webauthnRegistration")

  50. 	if err := ctx.Session.Set("webauthnName", form.Name); err != nil {

  51. 		ctx.ServerError("Unable to set session key for webauthnName", err)

  52. 		return

  53. 	}

  54. 

  55. 	webAuthnUser := wa.NewWebAuthnUser(ctx, ctx.Doer)

  56. 	credentialOptions, sessionData, err := wa.WebAuthn.BeginRegistration(webAuthnUser, webauthn.WithAuthenticatorSelection(protocol.AuthenticatorSelection{

  57. 		ResidentKey: protocol.ResidentKeyRequirementRequired,

  58. 	}))

  59. 	if err != nil {

  60. 		ctx.ServerError("Unable to BeginRegistration", err)

  61. 		return

  62. 	}

  63. 

  64. 	// Save the session data as marshaled JSON

  65. 	if err = ctx.Session.Set("webauthnRegistration", sessionData); err != nil {

  66. 		ctx.ServerError("Unable to set session", err)

  67. 		return

  68. 	}

  69. 

  70. 	ctx.JSON(http.StatusOK, credentialOptions)

  71. }

  72. 

  73. // WebauthnRegisterPost receives the response of the security key

  74. func WebauthnRegisterPost(ctx *context.Context) {

  75. 	if user_model.IsFeatureDisabledWithLoginType(ctx.Doer, setting.UserFeatureManageMFA) {

  76. 		ctx.HTTPError(http.StatusNotFound)

  77. 		return

  78. 	}

  79. 

  80. 	name, ok := ctx.Session.Get("webauthnName").(string)

  81. 	if !ok || name == "" {

  82. 		ctx.ServerError("Get webauthnName", errors.New("no webauthnName"))

  83. 		return

  84. 	}

  85. 

  86. 	// Load the session data

  87. 	sessionData, ok := ctx.Session.Get("webauthnRegistration").(*webauthn.SessionData)

  88. 	if !ok || sessionData == nil {

  89. 		ctx.ServerError("Get registration", errors.New("no registration"))

  90. 		return

  91. 	}

  92. 	defer func() {

  93. 		_ = ctx.Session.Delete("webauthnRegistration")

  94. 	}()

  95. 

  96. 	// Verify that the challenge succeeded

  97. 	webAuthnUser := wa.NewWebAuthnUser(ctx, ctx.Doer)

  98. 	cred, err := wa.WebAuthn.FinishRegistration(webAuthnUser, *sessionData, ctx.Req)

  99. 	if err != nil {

  100. 		if pErr, ok := err.(*protocol.Error); ok {

  101. 			log.Error("Unable to finish registration due to error: %v\nDevInfo: %s", pErr, pErr.DevInfo)

  102. 		}

  103. 		ctx.ServerError("CreateCredential", err)

  104. 		return

  105. 	}

  106. 

  107. 	dbCred, err := auth.GetWebAuthnCredentialByName(ctx, ctx.Doer.ID, name)

  108. 	if err != nil && !auth.IsErrWebAuthnCredentialNotExist(err) {

  109. 		ctx.ServerError("GetWebAuthnCredentialsByUID", err)

  110. 		return

  111. 	}

  112. 	if dbCred != nil {

  113. 		ctx.HTTPError(http.StatusConflict, "Name already taken")

  114. 		return

  115. 	}

  116. 

  117. 	// Create the credential

  118. 	_, err = auth.CreateCredential(ctx, ctx.Doer.ID, name, cred)

  119. 	if err != nil {

  120. 		ctx.ServerError("CreateCredential", err)

  121. 		return

  122. 	}

  123. 	_ = ctx.Session.Delete("webauthnName")

  124. 	_ = ctx.Session.Set(session.KeyUserHasTwoFactorAuth, true)

  125. 	ctx.JSON(http.StatusCreated, cred)

  126. }

  127. 

  128. // WebauthnDelete deletes an security key by id

  129. func WebauthnDelete(ctx *context.Context) {

  130. 	if user_model.IsFeatureDisabledWithLoginType(ctx.Doer, setting.UserFeatureManageMFA) {

  131. 		ctx.HTTPError(http.StatusNotFound)

  132. 		return

  133. 	}

  134. 

  135. 	form := web.GetForm(ctx).(*forms.WebauthnDeleteForm)

  136. 	if _, err := auth.DeleteCredential(ctx, form.ID, ctx.Doer.ID); err != nil {

  137. 		ctx.ServerError("GetWebAuthnCredentialByID", err)

  138. 		return

  139. 	}

  140. 	ctx.JSONRedirect(setting.AppSubURL + "/user/settings/security")

  141. }